Client Advisory: Cyber Insurance Considerations for New SEC Cybersecurity Rules for Public Companies

SEC Adopts New Cybersecurity Rules for Public Companies Through the Lens of Cyber Insurance

ERA Client Advisory: September 2023

On July 26, 2023, the SEC adopted final rules regarding the mandatory disclosure of material cybersecurity incidents and cybersecurity risk management, strategy, and governance by public companies (registrants) subject to the reporting requirements of the Securities Exchange Act of 1934. Companies will now need to review their insurance plans and update their corporate governance as it relates to incident response plans and board of directors oversight of cybersecurity risks.

In this client alert, we summarize the new cybersecurity disclosure requirements in the final rules and suggest ways to prepare for compliance with the new requirements from an insurance perspective. While companies will need to review their D&O, cyber, and crime bond insurance policies, this client alert will focus on cyber insurance considerations.

What do the SEC rules require?

  • Disclosure of material cyber incidents:[1] Registrants must describe their processes for assessing, identifying, and managing material risks from cybersecurity threats in sufficient detail for a reasonable investor to understand. Registrants also must disclose the use of third-party service providers in their risk management processes.[2]
  • Disclosure of risk management and strategy related to cybersecurity risks: Registrants must describe the board of directors’ oversight of risks from cybersecurity threats and management’s role and expertise in assessing and managing risks from cybersecurity threats.
  • Disclosure of cyber governance: Registrants must identify all Board committees overseeing cybersecurity and how those committees are informed of cybersecurity risks.
  • Registrants must disclose the nature, scope, timing, and the material impact or reasonably likely impact, including its financial condition and impact on operations. 
  • Registrants must provide updates about reported incidents in subsequent periodic reports.  

What do the rules require regarding timing? If a registrant suffers a cybersecurity incident, the company must disclose the event in a public SEC filing within four business days of determining that a cybersecurity incident is “material” (not the date it is discovered). The SEC cautioned against unreasonable delays in determining an incident’s materiality to avoid timely disclosure.[1] [2]

What must be included in the content of the registrant’s form? The registrant must disclose the nature, scope, timing, and the material impact or reasonably likely impact, including its financial condition and impact on operations. The disclosures are focused on the impact of a material cybersecurity incident, rather than details about the incident itself. The SEC stated that companies do not need to disclose specific or technical information about their planned responses to the incident or their cybersecurity systems, related networks and devices, or potential system vulnerabilities in such detail as would impede the company’s response to or remediation of the incident.

How may these final rules impact corporations’ Investor Relations (IR) protocols? According to Johnny Lee, Principal and National Practice Leader at Grant Thornton:

“Companies will have to integrate their financial reporting teams into their IR protocols to ensure that a traditional materiality determination can even be reached – with as many cogent facts as are available at that time, all under very tight reporting deadlines. And this cycle will need to be refreshed as more facts come to light throughout the incident response. This will require companies to mature their IR controls and practice these things before they can consider themselves ready to meet the challenging requirements of the final rule. It's as much about process maturity as anything else, and – without muscle memory through practice – the unpracticed companies will fall short of the mark.”

What are some of the PR and communications considerations at play?  Sara Sendek, Managing Director at FTI Consulting, shared these tips from her practical experience in guiding companies with effective messaging following the discovery of a cyber incident:

“No organization, big or small, is immune to a cyber incident. If you are an organization that has not been prioritizing and investing in cybersecurity and preparing and practicing cyber response efforts, now is the time. Four days into a cyber incident is lightning speed in many cases. Most of the time, there are still many unknowns – including long-term impacts on the business or operations, as well as any potential data loss. The outstanding question here is how and when a company determines an incident to be material. Regardless, these reporting requirements will significantly change considerations about how to disclose a cyber incident publicly. The downstream effects of this type of disclosure will have wide ranging implications on your communications strategy everywhere from media attention, customer and client communications, employee communications and could even play a role in threat actor communications if a company must show their cards in the early stages of negotiations.

“Organizations should consider who will be leading response efforts in an incident, identify priority stakeholders that will need to be communicated with in the early phases and determine how to handle a more public response to an incident when the narrative is evolving amidst an ongoing investigation with many key facts yet to be identified.

“Removing the requirement for Board members to have cybersecurity expertise is a big win for organizations who want to allow their shareholders to consider Board candidates without respect to specific regulatory requirements tipping the scales one way or another. However, it would be a mistake for companies not to take a serious look at the makeup of their Board. Regardless of whether the SEC requires it, investing in cybersecurity and taking steps to protect against and minimize cyber risk is a MUST. The makeup of a company’s Board members should reflect that reality, and companies should consider what would traditionally be considered non-traditional candidates for Board seats, such as Chief Information Security Officers, to ensure that cyber risk management is well understood and carefully considered at the Board level.”

When will the rules take effect? For the 10-K and Form 20-F disclosures, disclosures will be due with annual reports for fiscal years ending on or after December 15, 2023. For Form 8-K and Form 6-K disclosures, the disclosures will be due beginning the later of 90 days after the date of publication in the Federal Register, or December 18, 2023. Smaller companies have an additional 180 days to comply.

Cyber Insurance Implications: It is important to carefully review cyber insurance and other insurance policies that may help navigate a more aggressive regulatory environment. To help meet compliance obligations following a cybersecurity incident, review your cyber insurance policies to determine coverage for data breach response experts. These experts include privacy counsel, IT forensic investigators, crisis management, forensic accountants and other specialists who are best equipped to quickly and thoroughly investigate and report on matters that require disclosure. Cyber insurance policyholders should also be mindful of obligations to their carriers, which include strict requirements to report incidents in a timely fashion and the use of pre-approved breach response vendors.

Blair Dawson, an experienced breach response counsel with McDonald Hopkins, offered additional guidance regarding cyber coverage and these new regulations. Dawson suggested that with respect to the existing legal fees associated with assessing the incident’s impact and drafting communications to SEC and other regulators, such legal fees should be covered as part of the cyber incident response.  However, costs for ongoing disclosures (e.g., costs incurred by the Investor Relations office) may not constitute covered incident response expenses. There can also be costs associated with an independent financial audit that may be underway or soon to be underway. Those costs may also be covered under the cyber policy as related to the incident response, since the auditors will demand assurances of the integrity of the financial data being audited.

Most public companies have implemented requisite cybersecurity measures to prevent, detect, respond to, and recover from cyber incidents. The new disclosure rules focus on requirements to divulge security plans and measures with more specificity.

Whether or not an organization is subject to the SEC’s regulatory purview, it is prudent for policyholders to follow best practices when it comes to managing cyber risk, including:

  • Officer-level leadership to develop a robust cybersecurity program
  • An informed Board
  • Commitment from senior management to provide necessary resources
  • Regular employee training

Key takeaways:

  • Incident Response Plan: Ensuring teams in charge of cyber incident response and reporting are aware of the new rules.
  • Disclosure Controls: Companies should ensure that their disclosure committees, or those individuals responsible for making materiality and disclosure decisions, are directly connected to the IR team.
  • Record Keeping: Considering the four-day deadline for filing the incident report, companies should carefully document the date on which they determine that an incident is material and the process used to make this determination. This includes recording when those individuals responsible for making materiality and disclosure decisions, executives and directors were initially advised of the incident and when they were updated.
  • Four-Day Trigger: Companies should also be mindful that the four-day disclosure deadline operates independently from any other provisions of law (such as state or local data protection laws) that may permit or mandate a delay in notifying the public about material cybersecurity incidents.
  • Tracking Minor Cybersecurity Incidents for Potential Aggregation: Companies should advise their information security teams of the importance of tracking minor cybersecurity incidents in order to decide whether or not they are related under relevant SEC guidance and would need to be aggregated in the company’s materiality determination with a view to potential public disclosure.

As Blair Dawson notes, “Organizations have always had to take precautions to ensure that they are reporting properly under these types of regulations in order to lessen the legal impact of a cybersecurity event. The new SEC regulation is not generally seen as overly onerous from a timing perspective given that organizations under SEC oversight would be monitoring and reporting on materially impactful events. However, the new SEC regulations put greater responsibilities on the Board of Directors for oversight of cybersecurity risks and related corporate governance. This explicit mandate under the new SEC regulation further cements the importance of securing proper coverage and obtaining advice and guidance from qualified professionals such as the insurance broker and data privacy legal counsel.”

Johnny Lee, Principal & National Practice Leader, Forensic Technology, Grant Thornton LLP.  j.lee@us.gt.com   (404) 704-0144

Blair Dawson, FIP, CIPP/US, CIPP/E, CIPM, Member, McDonald Hopkins, bdawson@mcdonaldhopkins.com, (312) 642.6131

Sara Sendek, Managing Director, Cybersecurity & Data Privacy Communications, FTI Consulting   sara.sendek@fticonsulting.com  (248) 890.3391

1 The new rules define “cybersecurity incident” as “an unauthorized occurrence, or a series of related unauthorized occurrences, on or conducted through a company’s information systems that jeopardizes the confidentiality, integrity, or availability of the company’s information systems or any information residing therein.” In the adopting release, the SEC emphasized that the term “cybersecurity incident” is intended to be construed broadly.

2 The SEC expressly declined to limit the relevant “information systems” to those owned, operated or controlled by the company, and instead adopted a definition that includes any electronic information resources owned or “used” by the company, which captures information resources owned or operated by third parties and used by the company, such as systems operated by cloud services providers. Incidents at a third-party service provider that a company knows about or has been informed of could therefore trigger a Form 8-K filing if the incident is determined to be material to the company. The final rules do not require companies to conduct additional inquiries outside of their regular channels of communication with third-party service providers pursuant to those contracts and in accordance with the company’s disclosure controls and procedures.

3 The focus of the disclosure rule is “materiality” – a term not defined in the Rule.  In issuing guidance however, the SEC stated that “materiality” would be consistent with the standard established through the securities laws and interpretive case law i.e., “information is material if ‘there is a substantial likelihood that a reasonable shareholder would consider it important’ in making an investment decision, or if it would have ‘significantly altered the ‘total mix’ of information available.’ “Doubts as to the critical nature of the relevant information should be resolved in favor of those the statute is designed to protect, namely investors.” [Final Rule: Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure p.14 (citations omitted)].

4 Additionally, this is consistent with the time frame provided for in the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA).

 

The information, analyses, opinions and/or recommendations contained herein relating to the impact or the potential impact of coronavirus/COVID-19 on insurance coverage or any insurance policy is not a legal opinion, warranty or guarantee, and should not be relied upon as such. This communication is intended for informational use only. Given the on-going and constantly changing situation with respect to the coronavirus/COVID-19 pandemic, this communication does not necessarily reflect the latest information regarding recently-enacted, pending or proposed legislation or guidance that could override, alter or otherwise affect existing insurance coverage.

This communication is intended for informational use only. As insurance agents or brokers, we do not have the authority to render legal advice or to make coverage decisions, and you should submit all claims to your insurance carrier for evaluation. At your discretion, please consult with an attorney at your own expense for specific advice in this regard.

This bulletin is provided for informational purposes only. McGriff is not providing legal advice and recommends you consult with your own counsel for legal guidance/opinion.